SlideShare ist ein Scribd-Unternehmen logo

Memory Forensics Volatility2.4

Sunil Kumar
Sunil Kumar

This document provides an overview of analyzing memory forensics using Volatility 2.4. It demonstrates running various Volatility plugins like pstree to print processes, connscan to scan for TCP connections, printkey to print registry keys and values, and malfind to find hidden code injections. The document analyzes a Zeus memory sample, identifying processes, connections, registry keys used by the malware, and injected code, showing how Volatility can be used to analyze malware behavior and artifacts in memory forensics.

Software
1 von 10
Downloaden Sie, um offline zu lesen
{ Null Humla Session 0.1 Memory forensics with Volatility2.4
 Usage  Vol.py –f image --profile=(imageinfo) –plugins  -f parameter  It is used to locate the source memory image  Vol.py –f sality.vmem  imageinfo  To identify the memory image  Vol.py –f sality.vmem imageinfo  Vol.py –f sality.vmem –proflie=WinXPSP2x86 connscan Steps in Analysing
pstree  Prints the process list in tree structure. Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 pstree
Connscan  Scans for tcp connections Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 connscan
 Lets run the pstree command again….. Interesting connections ??
Printkey  Print a registry key and its subkey and values Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsCurrentVersionRun” Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsNTCurrentVersion Winlogon”
Malfind  Find hidden or injected code/Dll Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind –dump-dir ~/code-injections
Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind -p 856 –dump-dir ~/code-injections Too much data ?? Let’s narrow it down !!!
Vol.py –f zeus.vmem printkey –K “ControlSet001ServicesSharedAccess ParametersFirewallPolicyStandard Profile” This malware shutdowns firewall also …..
EOF…. QUESTIONS …..

Empfohlen

Glusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsGlusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsPranith Karampuri
 
Glusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsGlusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsPranith Karampuri
 
Tmux Development Workflow
Tmux Development WorkflowTmux Development Workflow
Tmux Development Workflowjschembri
 
Sistemas operacionais 13
Sistemas operacionais 13Sistemas operacionais 13
Sistemas operacionais 13Nauber Gois
 
50 Perintah Dasar pada linux
50 Perintah Dasar pada linux50 Perintah Dasar pada linux
50 Perintah Dasar pada linuxReskyRian
 
Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#priya Nithya
 
Perintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemPerintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemRoziq Bahtiar
 
PenTest using Python By Purna Chander
PenTest using Python By Purna ChanderPenTest using Python By Purna Chander
PenTest using Python By Purna Chandernforceit
 

Empfohlen

Glusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsGlusterfs session #18 intro to fuse and its trade offs
Glusterfs session #18 intro to fuse and its trade offsPranith Karampuri
 
Glusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsGlusterfs session #8 memory tracking infra, io-threads
Glusterfs session #8 memory tracking infra, io-threadsPranith Karampuri
 
Tmux Development Workflow
Tmux Development WorkflowTmux Development Workflow
Tmux Development Workflowjschembri
 
Sistemas operacionais 13
Sistemas operacionais 13Sistemas operacionais 13
Sistemas operacionais 13Nauber Gois
 
50 Perintah Dasar pada linux
50 Perintah Dasar pada linux50 Perintah Dasar pada linux
50 Perintah Dasar pada linuxReskyRian
 
Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#Creating a Name seperator Custom Control using C#
Creating a Name seperator Custom Control using C#priya Nithya
 
Perintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemPerintah perintah dasar linux Operating Sistem
Perintah perintah dasar linux Operating SistemRoziq Bahtiar
 
PenTest using Python By Purna Chander
PenTest using Python By Purna ChanderPenTest using Python By Purna Chander
PenTest using Python By Purna Chandernforceit
 
Tmux tips and_tricks
Tmux tips and_tricksTmux tips and_tricks
Tmux tips and_tricksArc & Codementor
 
Processes And Job Control
Processes And Job ControlProcesses And Job Control
Processes And Job Controlahmad bassiouny
 
Glusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesGlusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesPranith Karampuri
 
RedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksRedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksMd Shihab
 
Combine vs RxSwift
Combine vs RxSwiftCombine vs RxSwift
Combine vs RxSwiftshark-sea
 
Using strace
Using straceUsing strace
Using straceRyan Robson
 
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكreport about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكShwana M
 
Debian
DebianDebian
DebianYUDDYAL HAMDANIL
 
Mongo db tailable cursors
Mongo db tailable cursorsMongo db tailable cursors
Mongo db tailable cursorsBill Kunneke
 
Zfs replication overview
Zfs replication overviewZfs replication overview
Zfs replication overview鵬 大
 
Glusterfs session #13 replication introduction
Glusterfs session #13 replication introductionGlusterfs session #13 replication introduction
Glusterfs session #13 replication introductionPranith Karampuri
 
Partyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupPartyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupДмитрий Бумов
 
Rhel 7 root password reset
Rhel 7 root password resetRhel 7 root password reset
Rhel 7 root password resetMd Shihab
 
Unix environment
Unix environmentUnix environment
Unix environmentEr Mittinpreet Singh
 
Emuladores
EmuladoresEmuladores
EmuladoresBayoch
 
Installation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstInstallation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstJawad Khan
 
Unix environment [autosaved]
Unix environment [autosaved]Unix environment [autosaved]
Unix environment [autosaved]Er Mittinpreet Singh
 
Unix
UnixUnix
UnixHari Krishna
 
Ultimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationUltimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationJacobMenke1
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummiesEduardo Otubo
 
Basic command for linux
Basic command for linuxBasic command for linux
Basic command for linuxgt0ne
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 

Weitere ähnliche Inhalte

Was ist angesagt?

Processes And Job Control
Processes And Job ControlProcesses And Job Control
Processes And Job Controlahmad bassiouny
 
Glusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesGlusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesPranith Karampuri
 
RedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksRedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksMd Shihab
 
Combine vs RxSwift
Combine vs RxSwiftCombine vs RxSwift
Combine vs RxSwiftshark-sea
 
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكreport about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكShwana M
 
Mongo db tailable cursors
Mongo db tailable cursorsMongo db tailable cursors
Mongo db tailable cursorsBill Kunneke
 
Zfs replication overview
Zfs replication overviewZfs replication overview
Zfs replication overview鵬 大
 
Glusterfs session #13 replication introduction
Glusterfs session #13 replication introductionGlusterfs session #13 replication introduction
Glusterfs session #13 replication introductionPranith Karampuri
 
Rhel 7 root password reset
Rhel 7 root password resetRhel 7 root password reset
Rhel 7 root password resetMd Shihab
 
Emuladores
EmuladoresEmuladores
EmuladoresBayoch
 
Installation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstInstallation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstJawad Khan
 
Ultimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationUltimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationJacobMenke1
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummiesEduardo Otubo
 

Was ist angesagt? (20)

Tmux tips and_tricks
Tmux tips and_tricksTmux tips and_tricks
Tmux tips and_tricks
 
Processes And Job Control
Processes And Job ControlProcesses And Job Control
Processes And Job Control
 
Glusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecyclesGlusterfs session #5 inode t, fd-t lifecycles
Glusterfs session #5 inode t, fd-t lifecycles
 
RedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative worksRedHat/CentOs Commands for administrative works
RedHat/CentOs Commands for administrative works
 
Combine vs RxSwift
Combine vs RxSwiftCombine vs RxSwift
Combine vs RxSwift
 
Using strace
Using straceUsing strace
Using strace
 
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاكreport about hack رابؤرتيكدةربارةي (لةسةر) هاك
report about hack رابؤرتيكدةربارةي (لةسةر) هاك
 
Debian
DebianDebian
Debian
 
Mongo db tailable cursors
Mongo db tailable cursorsMongo db tailable cursors
Mongo db tailable cursors
 
Zfs replication overview
Zfs replication overviewZfs replication overview
Zfs replication overview
 
Glusterfs session #13 replication introduction
Glusterfs session #13 replication introductionGlusterfs session #13 replication introduction
Glusterfs session #13 replication introduction
 
Partyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeupPartyhack 3.0 - Telegram bugbounty writeup
Partyhack 3.0 - Telegram bugbounty writeup
 
Rhel 7 root password reset
Rhel 7 root password resetRhel 7 root password reset
Rhel 7 root password reset
 
Unix environment
Unix environmentUnix environment
Unix environment
 
Emuladores
EmuladoresEmuladores
Emuladores
 
Installation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling firstInstallation of ubuntu, ns3 and compiling first
Installation of ubuntu, ns3 and compiling first
 
Unix environment [autosaved]
Unix environment [autosaved]Unix environment [autosaved]
Unix environment [autosaved]
 
Unix
UnixUnix
Unix
 
Ultimate Unix Meetup Presentation
Ultimate Unix Meetup PresentationUltimate Unix Meetup Presentation
Ultimate Unix Meetup Presentation
 
QEMU Sandboxing for dummies
QEMU Sandboxing for dummiesQEMU Sandboxing for dummies
QEMU Sandboxing for dummies
 

Ähnlich wie Memory Forensics Volatility2.4

Basic command for linux
Basic command for linuxBasic command for linux
Basic command for linuxgt0ne
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
List command linux fidora
List command linux fidoraList command linux fidora
List command linux fidoraJinyuan Loh
 
Terminal linux commands_ Fedora based
Terminal linux commands_ Fedora basedTerminal linux commands_ Fedora based
Terminal linux commands_ Fedora basedNavin Thapa
 
Basic linux commands
Basic linux commandsBasic linux commands
Basic linux commandsNguyen Vinh
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 
Perf stat windows
Perf stat windowsPerf stat windows
Perf stat windowsAccenture
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
ch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystemch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystemyushiang fu
 
File encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdfFile encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdfjyothimuppasani1
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manualSaikat Rakshit
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manualCraig Cannon
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdfGiovaRossi
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdfGiovaRossi
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdfGiovaRossi
 

Ähnlich wie Memory Forensics Volatility2.4 (20)

Basic command for linux
Basic command for linuxBasic command for linux
Basic command for linux
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
List command linux fidora
List command linux fidoraList command linux fidora
List command linux fidora
 
Terminal linux commands_ Fedora based
Terminal linux commands_ Fedora basedTerminal linux commands_ Fedora based
Terminal linux commands_ Fedora based
 
Unix commands
Unix commandsUnix commands
Unix commands
 
Basic linux commands
Basic linux commandsBasic linux commands
Basic linux commands
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
 
Perf stat windows
Perf stat windowsPerf stat windows
Perf stat windows
 
Top ESXi command line v2.0
Top ESXi command line v2.0Top ESXi command line v2.0
Top ESXi command line v2.0
 
Hta w22
Hta w22Hta w22
Hta w22
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
Plesk CLI Wrapper
Plesk CLI WrapperPlesk CLI Wrapper
Plesk CLI Wrapper
 
ch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystemch8-pv1-the-virtual-filesystem
ch8-pv1-the-virtual-filesystem
 
File encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdfFile encryption. [32] Write a program which accepts a filename as a .pdf
File encryption. [32] Write a program which accepts a filename as a .pdf
 
sift_cheat_sheet.pdf
sift_cheat_sheet.pdfsift_cheat_sheet.pdf
sift_cheat_sheet.pdf
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manual
 
The one page linux manual
The one page linux manualThe one page linux manual
The one page linux manual
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdf
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdf
 
unix_ref_card.pdf
unix_ref_card.pdfunix_ref_card.pdf
unix_ref_card.pdf
 

Mehr von Sunil Kumar

Basics of Cryptography
Basics of CryptographyBasics of Cryptography
Basics of CryptographySunil Kumar
 
3Es of Ransomware
3Es of Ransomware3Es of Ransomware
3Es of RansomwareSunil Kumar
 
Http2 Security Perspective
Http2 Security PerspectiveHttp2 Security Perspective
Http2 Security PerspectiveSunil Kumar
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Jsonp null-meet-02-2015
Jsonp null-meet-02-2015Jsonp null-meet-02-2015
Jsonp null-meet-02-2015Sunil Kumar
 
Dt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdontsDt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdontsSunil Kumar
 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBISunil Kumar
 

Mehr von Sunil Kumar (7)

Basics of Cryptography
Basics of CryptographyBasics of Cryptography
Basics of Cryptography
 
3Es of Ransomware
3Es of Ransomware3Es of Ransomware
3Es of Ransomware
 
Http2 Security Perspective
Http2 Security PerspectiveHttp2 Security Perspective
Http2 Security Perspective
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Jsonp null-meet-02-2015
Jsonp null-meet-02-2015Jsonp null-meet-02-2015
Jsonp null-meet-02-2015
 
Dt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdontsDt5 varenni win_pcapdosdonts
Dt5 varenni win_pcapdosdonts
 
Nullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBINullcon 2011- Behaviour Analysis with DBI
Nullcon 2011- Behaviour Analysis with DBI
 

Kürzlich hochgeladen

The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesKrzysztofKkol1
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jNeo4j
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Copilot para Microsoft 365 y Power Platform Copilot
Copilot para Microsoft 365 y Power Platform CopilotCopilot para Microsoft 365 y Power Platform Copilot
Copilot para Microsoft 365 y Power Platform CopilotEdgard Alejos
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecturerahul_net
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Rob Geurden
 

Kürzlich hochgeladen (20)

The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilitiesAmazon Bedrock in Action - presentation of the Bedrock's capabilities
Amazon Bedrock in Action - presentation of the Bedrock's capabilities
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Copilot para Microsoft 365 y Power Platform Copilot
Copilot para Microsoft 365 y Power Platform CopilotCopilot para Microsoft 365 y Power Platform Copilot
Copilot para Microsoft 365 y Power Platform Copilot
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 

Memory Forensics Volatility2.4

  • 1. { Null Humla Session 0.1 Memory forensics with Volatility2.4
  • 2.  Usage  Vol.py –f image --profile=(imageinfo) –plugins  -f parameter  It is used to locate the source memory image  Vol.py –f sality.vmem  imageinfo  To identify the memory image  Vol.py –f sality.vmem imageinfo  Vol.py –f sality.vmem –proflie=WinXPSP2x86 connscan Steps in Analysing
  • 3. pstree  Prints the process list in tree structure. Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 pstree
  • 4. Connscan  Scans for tcp connections Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 connscan
  • 5.  Lets run the pstree command again….. Interesting connections ??
  • 6. Printkey  Print a registry key and its subkey and values Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsCurrentVersionRun” Vol.py –f zeus.vmem –profile =WinXPSP2x8 6 printkey –K “MicrosoftWindowsNTCurrentVersion Winlogon”
  • 7. Malfind  Find hidden or injected code/Dll Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind –dump-dir ~/code-injections
  • 8. Vol.py –f zeus.vmem –profile =WinXPSP2x86 malfind -p 856 –dump-dir ~/code-injections Too much data ?? Let’s narrow it down !!!
  • 9. Vol.py –f zeus.vmem printkey –K “ControlSet001ServicesSharedAccess ParametersFirewallPolicyStandard Profile” This malware shutdowns firewall also …..

Hinweis der Redaktion

  1. We have to select a profile since by default It takes winxpsp2x86
  2. Looks like there is nothing wrong with the process… see if its making any connections Run plugins sockets also ….
  3. SEE WHO OWNS THE PROCESS AND WHO IS ITS PARENTS RUN THE IP IN VIRUS TOTAL AND SEE
  4. IF its connecting to a site… it will make sure to be persistant .. Since it doesn’t make sense it will loose connection on restart …. Lets look into registries for autorun entries …. Lot of entries in registry …. We have to try all.
  5. These are possible code injections … but the exe you get here is not the whole process but only the injected part …. You can always load it in vm and start your normal analysis. IF you want whole process dump then the parameter is procdump –p id dump-dir
  6. -p parameter to select a particular process … You can take a hash of it and always find something on the virus total. take an md5sum of both file and submit to virus total.
  7. This malwares shutdowns the fireswall also …